Tsclient — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/tsclient/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 17:46:40 +0000Execution via TSClient Mountpointhttps://feed.craftedsignal.io/briefs/2026-05-execution-from-tsclient-mup/Tue, 12 May 2026 17:46:40 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-execution-from-tsclient-mup/The rule detects execution of processes from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on Windows hosts, which may indicate a lateral movement attempt.This detection rule identifies the execution of processes originating from the tsclient mount point in Windows environments. The tsclient directory is used by Remote Desktop Protocol (RDP) to share local resources, such as drives, from the client machine with the remote host. Attackers can leverage this shared mount point to transfer and execute malicious payloads on the target system, thereby achieving lateral movement within the network. Successful exploitation may lead to unauthorized access to sensitive data and systems, further compromising the organization’s security posture. This behavior is detected via process monitoring on the endpoint and analysis of the process executable path. The rule aims to detect post-exploitation activity, not initial access.

Attack Chain

  1. An attacker gains initial access to a user’s machine, possibly through phishing or exploiting a vulnerability.
  2. The attacker establishes an RDP session to a target host within the network.
  3. The attacker copies a malicious executable to a drive shared via RDP’s tsclient mountpoint.
  4. On the target host, the attacker navigates to the \\Device\\Mup\\tsclient directory, representing the shared drive.
  5. The attacker executes the malicious executable from the tsclient directory. This execution could be triggered via command line, script, or other execution mechanisms.
  6. The malicious executable performs actions such as reconnaissance, privilege escalation, or lateral movement.
  7. The attacker utilizes the compromised host to pivot and compromise other systems within the network.
  8. The attacker achieves their objectives, such as data exfiltration, ransomware deployment, or disruption of services.

Impact

Successful exploitation allows attackers to execute arbitrary code on the target system, potentially leading to complete system compromise. This can result in data theft, system disruption, or further lateral movement within the network. The number of victims and sectors targeted depends on the attacker’s objectives and the scope of the compromised environment. The rule detects potential lateral movement attempts and unauthorized code execution, which could lead to severe data breaches and financial losses.

Recommendation

  • Deploy the Sigma rule provided to your SIEM to detect execution from the TSClient mountpoint and tune for your environment.
  • Enable process creation logging with full command line auditing (e.g., via Sysmon) to ensure the rule has the necessary data to function (Data Source: Sysmon, Windows Security Event Logs).
  • Investigate and validate any alerts generated by the Sigma rule to determine if the execution from the TSClient mountpoint is legitimate or malicious (Sigma Rule).
  • Consider restricting RDP access and disabling drive redirection where possible to minimize the attack surface (Overview).
  • Implement application control policies to prevent the execution of unauthorized executables from the TSClient mountpoint (Overview).
]]>highadvisorylateral-movementexecutionrdptsclientwindows